Do You Want To Play A Game?

After sending out dodgy links and social media messages, many protest that they have been "hacked" when the truth is that using the name of their pet dog as a login credential for every on-line service they use is putting friends, relatives and social media contacts at risk.

If you use social media of any kind or email then you have probably seen, at some point, a message or a post come in from a friend that's just a little bit weird. It might be a lone link to a website you don't recognise, a plea for help because your friend is trapped in a foreign country and they need money to escape or some other foolishness that most of us recognise as being spam.

What usually follows these emails or social media messages is a plea from your actual friend not to follow any links to websites and ignore any messages sent because they have been "hacked". Their accounts have been compromised by nefarious actors and they are now engaged in a life or death struggle to wrestle control of their digital life from some grotty teenager living in a basement somewhere.

System Breach

The simple truth is that most of the time there has been very little hacking going on at all. Hacking is deliberately breaching the digital locks on secure computer systems using advanced computer programming skills. It takes a lot of effort and, despite what most TV shows and movies would have you believe, a lot of time to accomplish even for systems that are not very well protected. Nobody is going to all that trouble and effort just to get your Facebook password.

Hacking does happen of course but the targets are usually retail companies and other large corporations and their databases of customers and credit card numbers. Such attacks are usually made possible by poorly implemented security or not changing default passwords on various bits of computer hardware the company has installed in their buildings.

So if hacking is not the problem, then what is going on? How do people lose control of their various social media accounts and their email? The simple answer is, you are the problem, or more accurately, your terrible passwords are the problem. Your terrible passwords not only create headaches for you but they also create headaches and potential security threats for all of your friends and social media contacts.

Compromised social media accounts send out links for one of two reasons: to drive traffic to a website for ad-revenue scamming, or to download malware onto a target computer. The malware either steals more data from the affected computers or hijacks them for use in massive "botnet" systems that crooks use for all kinds of reasons that generally make using the internet a complete pain in the ass for regular folks. For the most part the crooks don't want to read your email; they want to make money, and your terrible passwords are helping them do it.

The Common Error

For seasoned professionals and luddites alike, passwords are a pain. They are a pain to create and they are a pain to remember. Passwords are also annoying to reset if you forget what they are, and forgetting passwords is one reason that so many people commit the cardinal sin of password creation: using the same password for everything they use online. Criminals love this behaviour because all they need is your email address and just one password from a breached database. They can try that combination on every website where you might have an account, using automated tools, and gain access to your entire digital world in a matter of hours.

If you have a different password for each website or service that you use, then losing one password to a crook or an ex-partner gone rogue means a much smaller headache for you and your online contacts.

The simplest way to handle multiple passwords for multiple websites is to write them down. Before you grab a post-it note, write "passwords" on it and stick it to the front of your computer monitor: that is not what we mean. Writing down security information is not ideal but it's also not a terrible thing to do as long as you obscure the information in some way. Bury the password information within a regular document that doesn't stand out on your computer or smart phone amongst a thousand other documents. Don't use the word "password" at all and don't use the full names of the websites related to the password.

All modern operating systems and web browsers will store login credentials for you and they do so very securely so you rarely have to actually type in your passwords but an obscured, physical record can come in handy if you need to log in using a new machine or on a computer that is not yours.

There are technological solutions to password creation, storage and retrieval like LastPass and 1Password. The idea behind these programs is that they create the login credentials for each service that you use and then you only have to remember the password for the password manager. As long as the password manager is running on the device you are using and you are logged in, you never have to remember another password again. Here in TheLab™ we have found these programmes to be a little bit flaky at times and they may be a technological step too far for those folks who are not too confident in the ways of computer operation, but a lot of people do use them and they do create very strong passwords.

The QWERTY Problem

Actually creating passwords is another problematic issue when it comes to online security. Too often people use passwords that are too easy to guess using social engineering techniques or can be determined by automated systems using a so-called "dictionary attack".

A dictionary attack is an attempt to determine the password associated with a particular account using words from an actual dictionary or custom collections of breached passwords to see if any of them match. The first thing these auto bots will try is "qwerty" or "123456" and "qwerty123456" and a multitude of others to see if they can get into your account. Because these attack systems are completely automated, they don't really care how long it takes before they find a few thousand hits.
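From the defending side, a service can refuse such passwords when they are chosen. The check below is an added example, not part of the original article; the short `COMMON` list is constructed for illustration, and `is_guessable` is a hypothetical name. It catches list entries, entries glued together (as in "qwerty123456") and entries padded with trailing digits or symbols.

```python
import string

# Constructed sample list; a real deployment would load a large
# collection of breached and commonly used passwords instead.
COMMON = {"qwerty", "123456", "password", "letmein", "dragon", "monkey"}

# Characters people typically append to a weak password to "strengthen" it.
PADDING = string.digits + string.punctuation


def _splits_into(text, common):
    """True if `text` can be cut into pieces that are all in `common`."""
    # reachable[i] is True when text[:i] is made up only of listed entries.
    reachable = [True] + [False] * len(text)
    for end in range(1, len(text) + 1):
        reachable[end] = any(
            reachable[start] and text[start:end] in common
            for start in range(end)
        )
    return reachable[-1]


def is_guessable(password, common=COMMON):
    """Reject passwords a dictionary attack would try early."""
    p = password.lower()
    if not p:
        return True
    core = p.rstrip(PADDING)  # "dragon2015!" -> "dragon"
    if _splits_into(p, common):
        return True
    return core != "" and _splits_into(core, common)


if __name__ == "__main__":
    for candidate in ("qwerty123456", "Dragon2015!", "ember fjord quilt raven"):
        print(candidate, "->", "reject" if is_guessable(candidate) else "ok")
```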

There are many ways to create secure passwords. The longer they are the better, and inserting random characters, numbers, spaces and capital letters is always a good addition but there is another way, the Diceware way.

Diceware was created in 1995 by a gentleman called Arnold Reinhold. The system works using a list of thousands of words and rolling five dice to create a random number that corresponds to one of those words. To create a password, you roll the dice five, six or even seven times, depending on how secure you want your password to be, so that you end up with a password containing five, six or seven words. Adding in spaces, a random character or two and a capital letter makes the sequence of words that you arrive at for each password almost impossible to guess, even for the world's fastest supercomputers. The resulting passwords are also remarkably easy to remember because they are just regular words from everyday language.

If you don't have any dice lying around then you can use random number generators like Random.org instead. The Diceware website recommends, somewhat comically, sitting in a room with the curtains closed and not using computerised random number generators, but unless you work for MI6 or the CIA you will probably be fine using a computerised number generator. It can be tedious to do this for multiple websites and accounts but the resulting passwords will be very secure and impossible to guess, even by your own mother.
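The procedure above, as an added example that is not code from the Diceware project or the original article. It rolls the dice with Python's `secrets` module, which draws from the operating system's cryptographic random source; the 36-word list (two dice per word) is constructed so the example fits on the page, and the function names are hypothetical. With the real list you would pass five dice per word.

```python
import math
import secrets

# Constructed 36-word demonstration list, keyed by two dice ("11".."66").
# A full five-dice list has 6**5 = 7776 keys and is used the same way.
_WORDS = (
    "acorn bagel cedar delta ember fjord grape hazel igloo joker kiosk lemon "
    "mango noble ocean pixel quilt raven sable tulip umbra vivid waltz xenon "
    "yacht zebra amber birch coral dune eagle flint glade heron ivory jade"
).split()
KEYS = [f"{a}{b}" for a in range(1, 7) for b in range(1, 7)]
SAMPLE_LIST = dict(zip(KEYS, _WORDS))


def roll_key(dice):
    """Roll `dice` six-sided dice and join the faces into a lookup key."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(dice))


def words_from_rolls(rolls, wordlist):
    """Look up each key, so rolls made with physical dice can be typed in."""
    try:
        return [wordlist[key] for key in rolls]
    except KeyError as exc:
        raise ValueError(f"roll {exc.args[0]!r} is not in the word list") from None


def generate_passphrase(n_words, wordlist, dice):
    """One independent set of dice rolls per word, joined with spaces."""
    rolls = [roll_key(dice) for _ in range(n_words)]
    return " ".join(words_from_rolls(rolls, wordlist))


def entropy_bits(n_words, list_size):
    """Each independently rolled word adds log2(list_size) bits of entropy."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    print(generate_passphrase(6, SAMPLE_LIST, dice=2))
    for n in (5, 6, 7):  # strength with a full five-dice list
        print(n, "words:", round(entropy_bits(n, 6 ** 5), 1), "bits")
```

The strength comes from the number of words and the size of the list, not from the words being obscure, so the list itself does not need to be secret.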

2 Factor Protection

Finally, we have "two factor authentication", probably one of the easiest to use and understand high security measures for all major websites and online services. The principle is very straightforward. When you log in to Facebook, for example, for the first time on a new computer or an unrecognised web browser or service, Facebook will send you a text message containing a code that you must enter to prove that you are really you.

Even if somebody has your password they still can't log in because they would also need access to your cell phone, and the chances of them having both are extremely remote.

Most online services like Google, Microsoft, Twitter, Dropbox, Apple, Facebook and many others have two factor services available for their users and you should turn those services on. Many also have code generators built into their mobile applications that will generate a code without sending a text message. Twitter will send a request to their mobile application to authorise any unknown login attempts to your account. Two factor also has the advantage of letting you know that somebody else may have your password so you can immediately change it if you receive a login request you don't recognise.

The actual code you will be sent only works once, so don't worry if somebody accidentally sees that code on your phone if it pops up as a notification.

Take It Seriously

As we mentioned before, the security of your online accounts is something you should take seriously because it doesn't just affect you, it affects everybody you are connected with in the online world. Nothing is 100% secure but that doesn't mean you don't have to make it as hard as possible for crooks to steal your stuff.

So, create strong passwords, don't use the same password twice, turn on two factor authentication, don't click on links in dodgy-looking emails, Facebook posts or Twitter messages and stay safe in the wide world of the internet.
